This is another subject but yes PAD is mssing a way to protect simple variables.
If you work with password, never pass them in a standard variable (or they will be visible in the execution logs for every co-owner of the flow).
Overall, i've noted two ways you can work with passwords:
1- Directly hard code it in a "populate text field" action, and selecting the correct option (see picture, sorry it's in French). If you select the right option, your password will not be visible/retrievable from the execution logs.
1-Protected input in a textfield
2- Use Input/Output variables (in your case probably input as you wouldn't want the program to return a password at the end). You can select the "sensitive text" option and the variable will be "protected". Note that at the start of your flow, you'll be prompted to initialize these variables. However, you can simply add a default value and leave the prompt empty at start.
2-Protected input variable
However, in both case, you can always see the password if you can enter the code: you just have to click on the little "eye" logo to show hidden password.
This can be mitigated using the right policy when its comes to roles and authorizations on a flow.
I suggest to only allow the platform admin and the devs to "own" the flows so they can enter the code and edit it.
Everybody else should only have the permission to run a flow (so that they can't access the code or modify it).
Also be careful if you send a copy of your code and it might contains sensitive data.
Hope i was clear enough,
Best regards
